6.6 Backend service side testing
6.6.1 Fuzzer tool
Prior to the research, a fuzzer tool already existed that was applied to the Internet-facing infrastructure of one of the products at Sophos, and it seemed reasonable to adapt this technique to test the messages coming from the backend services.
Fuzz testing, or fuzzing, is a software testing technique which basically consists in finding implementation bugs by injecting semi-random data in an automated fashion [43]. Fuzzing can be called the "art of automatic bug finding", and its role is to find software implementation faults and to identify them if possible.
Following this idea, a tool was developed which sends fuzzed messages to the SQS service in the same way the backend services would. For generating the messages, I used Kitty, an extensible fuzzing framework written in Python.
Description
The fuzzer tool of Froud accepts a JSON 'template' for the SQS messages, specified in the config file. The fields intended to be fuzzed during the procedure are marked with hash marks (#). The corresponding slice of the config file, including an example SQS template message, may look as follows:
    "SQS": {
        "fuzz_endpoint_url": "https://sqs.us-west-2.amazonaws.com/$account_id$/test_queue",
        "sqs_message": {
            "timestamp": "#2018-10-19#",
            "id": #1#,
            "data": "#information"
        }
    }

Results
The tool managed to find two bugs in the tested products, therefore both the approach and the tool can be considered successful. One of the bugs is a logging error: the system cannot process messages above a certain length. The other issue is an unwanted service restart: sending invalid messages to the SQS queue leads to the restart of one of the services and slows down the processing of the SQS messages. Even though the backend services are considered reliable regarding the content of the messages, an attacker who compromises a service might achieve Denial of Service by sending a large number of invalid messages.
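The following is an added example, not Froud's own code, illustrating the template mechanism described above: fields whose value is wrapped in hash marks are treated as fuzz targets, each is mutated in turn (empty, oversized, wrong type, control characters), and every generated body is fed to a consumer-side validator of the kind that would have caught the two bug classes found (over-long payloads and malformed messages) without crashing the service. The template, limits and the validator's schema are constructed for the example; sending to the queue is left out so it runs offline, and in a real campaign each body would be passed to boto3's SQS send_message.

```python
"""Template-driven fuzz cases for an SQS consumer, plus the consumer-side
validation that keeps malformed input from crashing the service.

Added example, not Froud's own code.  Fields whose value is wrapped in hash
marks (#...#) are fuzz targets.  Template, limits and schema are constructed.
"""
import json
import re
from typing import Any, Dict, Iterator, List, Tuple

MARKER = re.compile(r"^#(.*)#$")

# Constructed template, mirroring the shape of the config excerpt above.
TEMPLATE: Dict[str, Any] = {
    "timestamp": "#2018-10-19#",
    "id": "#1#",
    "data": "#information#",
}

# Limits assumed for the constructed consumer (a real service would take them
# from its schema).  SQS itself caps a message body at 256 KiB.
MAX_BODY_BYTES = 256 * 1024
MAX_FIELD_LEN = 1024


def fuzz_targets(template: Dict[str, Any]) -> Dict[str, str]:
    """Return {field: seed} for every field whose value is wrapped in #...#."""
    targets: Dict[str, str] = {}
    for key, value in template.items():
        if isinstance(value, str):
            m = MARKER.match(value)
            if m:
                targets[key] = m.group(1)
    return targets


def mutations(seed: str) -> List[Any]:
    """Mutation strategies applied to one seed value (order is fixed)."""
    return [
        seed,                        # control case: the seed unchanged
        "",                          # empty value
        "A" * (MAX_FIELD_LEN * 4),   # oversized value (the length bug class)
        None,                        # wrong type: null
        12345,                       # wrong type: number instead of string
        seed + "\x00\x1b",           # embedded control characters
        "{" * 50,                    # JSON-looking junk inside a string
    ]


def generate_messages(template: Dict[str, Any]) -> Iterator[Tuple[str, Any, str]]:
    """Yield (field, mutant, json_body), mutating one marked field at a time."""
    targets = fuzz_targets(template)
    base = dict(template)
    for key, seed in targets.items():
        base[key] = seed             # fields not under mutation keep their seed
    for key, seed in targets.items():
        for mutant in mutations(seed):
            msg = dict(base)
            msg[key] = mutant
            yield key, mutant, json.dumps(msg)


def validate_message(body: str) -> str:
    """Consumer-side check: returns 'ok' or a rejection reason, never raises."""
    if len(body.encode("utf-8")) > MAX_BODY_BYTES:
        return "rejected: body too large"
    try:
        msg = json.loads(body)
    except json.JSONDecodeError:
        return "rejected: not JSON"
    if not isinstance(msg, dict):
        return "rejected: not an object"
    for field in ("timestamp", "id", "data"):
        if field not in msg:
            return f"rejected: missing {field}"
        value = msg[field]
        if not isinstance(value, str):
            return f"rejected: {field} has wrong type"
        if not value:
            return f"rejected: {field} empty"
        if len(value) > MAX_FIELD_LEN:
            return f"rejected: {field} too long"
        if any(ord(c) < 32 for c in value):
            return f"rejected: {field} has control characters"
    return "ok"


def run_campaign(template: Dict[str, Any]) -> Dict[str, List[str]]:
    """Feed every generated body to the validator; verdicts grouped per field."""
    results: Dict[str, List[str]] = {}
    for field, _mutant, body in generate_messages(template):
        results.setdefault(field, []).append(validate_message(body))
    return results


if __name__ == "__main__":
    for field, verdicts in run_campaign(TEMPLATE).items():
        print(field, verdicts)
```

The validator is the defensive half of the exercise: a consumer that returns a rejection reason for oversized or malformed bodies, rather than throwing, is what prevents the logging error and the service restart observed during testing from turning a flood of invalid messages into a Denial of Service.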
6.7 Summary
The cyclical characteristic of a penetration test is achieved by pivoting, that is, making use of the previously obtained information. The whole process, or only the authenticated penetration test, can be started over again with a potentially new set of keys acquired in the previous round.
On the whole, the outlined method and recommended tools can be applied to any application running in the Amazon cloud that resembles the presented web application model. It is worth mentioning that the successful operation of the different tools depends on whether the necessary permissions are granted and the actions are allowed. Nevertheless, encountering AccessDenied responses while using specific tools and performing certain actions implies that the system is protected against that particular attack.
7 Conclusion
This final chapter reflects the overall research and presents the conclusions. The aim of the research was to examine how penetration testing can be applied on the client side to improve the security of AWS-based environments and to outline a general concept that can be deployed for applications running in the Amazon cloud.
7.1 Research findings
At the beginning of the study, three questions were formulated to achieve the research goals. These questions are first answered based on the outcomes of the study.
Q1. What should be the objectives of a penetration test, and what vulnerabilities exist in the Amazon cloud?
A1. The EC2 metadata service is a great starting point for attackers to acquire AWS keys if the service can be reached by leveraging other vulnerabilities, for instance Server-Side Request Forgery or HTTP request proxying.
However, the majority of security breaches so far have been related to S3 buckets, either due to improperly attached bucket policies or to misuse of Identity and Access Management policies and permissions. Internal misconfigurations can further lead to privilege escalation and data exfiltration, or enable backdoors to be established.
Countermeasures exist for eliminating these issues; however, the objective of a penetration test should be to explicitly reveal the vulnerabilities if they are present in the system.
Q2. What tools are available for penetration testing in the Amazon cloud and how can they be adapted to the penetration testing methodology?
A2. The presented penetration testing methodology consists of four phases, of which the post-exploitation phase can be considered an independent authenticated penetration test. A great number of tools exist for testing in the Amazon cloud, covering both authenticated and non-authenticated tests.
The existing Amazon-specific tools are well integrated into the methodology, with special regard to the goal of the different phases and the steps of an authenticated penetration test. In accordance with the findings of the previous question, the majority of the tools focus on internal configurations and try to take advantage of improper settings.
Q3. Is the available toolset able to support a comprehensive penetration test? If not, what tools could be further developed?
A3. A number of areas have been identified which are not yet, or not properly, supported by the available toolset regarding authenticated penetration tests. These are "Understanding the victim" and "Collecting system information and data". The research aimed to improve the current state of testing by developing tools that focus on these areas. The tools concentrate on discovering the environment of the compromised system and collecting sensitive information. The discovery covers understanding the entitlements of the accessed instance and finding further available resources. Furthermore, the tools support collecting data from different AWS services and making it publicly accessible.
7.2 Contribution
The objective of a penetration test has been set by identifying those vulnerabilities that have occurred previously in AWS environments and have caused severe security breaches. The thesis has underlined the importance of non-authenticated and authenticated penetration tests. The main contribution is that a general method for applications in the Amazon cloud is provided, including the integration of specific tools into the methodology. The Amazon-related module of Metasploit is one of the tools that has been found to be useful within the post-exploitation phase. A tangible contribution of the research is fixing the Gather AWS EC2 Instance Metadata module, which has been merged into the Metasploit Framework's repository.
The goal of the research was to provide a comprehensive method and to extend the available equipment where necessary. For this reason, a new toolset has been developed to support the areas identified previously as uncovered, related to discovery and data exfiltration. Furthermore, a fuzzer tool has been developed as well, for testing the application from the back-end server side. The new toolset is open source; the repository is available on GitHub: https://github.com/reka193/froud.
7.3 Future work
Based on the tested products, a web application model has been introduced which has essentially determined the scope of the test. Even though this predefined model can be considered realistic, a relatively small proportion of the existing AWS services formed part of the research. Extending the scope of the penetration test by including more services in the model would definitely be worthwhile for further research.
It has been discussed how an attacker might stay undetected and cover their tracks; however, it is also worth investigating how an attack can be discovered. One potential method is to use honeytokens, which are similar to honeypots in the sense that they are designed to attract unwitting hackers [47]. As discussed previously, CloudTrail is responsible for monitoring and logging API calls for particular services, therefore it can be leveraged to detect when a certain set of AWS keys is used. These honeytokens are created with all permissions denied, so whenever someone uses them, an access denied error is logged to CloudTrail and an alarm is triggered. It would definitely be an interesting direction to explore the possibilities of honeytokens: how they can be utilized or, potentially, detected.
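As an added example of the honeytoken detection sketched above (not code from the thesis or the Froud repository), the following block attaches a deny-all inline policy to the honeytoken user and scans CloudTrail records for calls issued with the honeytoken access key. The key ids, user names, IP addresses and the CloudTrail records are constructed for the example and trimmed to the fields the detector reads; real CloudTrail records carry many more fields in the same shape.

```python
"""Honeytoken detection over CloudTrail records.

Added example, not the thesis's own code.  The honeytoken IAM user carries an
explicit deny-all policy, so every call made with its access key is logged by
CloudTrail with errorCode "AccessDenied"; matching on the key id alone is
enough to raise an alarm.  Key ids, users, IPs and records are constructed.
"""
import json
from typing import Dict, Iterable, List, Set

# Inline IAM policy for the honeytoken user: every action explicitly denied.
HONEYTOKEN_DENY_ALL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}],
}

# Constructed honeytoken key ids (placeholders, not real keys).
HONEYTOKEN_KEY_IDS: Set[str] = {"AKIAHONEYTOKEN000001", "AKIAHONEYTOKEN000002"}


def _rec(time, source, name, ip, user, key, error=None):
    """Build one CloudTrail-shaped record, trimmed to the fields read below."""
    rec = {"eventTime": time, "eventSource": source, "eventName": name,
           "sourceIPAddress": ip,
           "userIdentity": {"type": "IAMUser", "userName": user,
                            "accessKeyId": key}}
    if error:
        rec["errorCode"] = error
    return rec


# Constructed log file in the shape CloudTrail delivers ({"Records": [...]}).
SAMPLE_LOG = json.dumps({"Records": [
    _rec("2018-11-05T10:14:02Z", "ec2.amazonaws.com", "DescribeInstances",
         "203.0.113.7", "deploy", "AKIAEXAMPLE0000000001"),
    _rec("2018-11-05T10:15:44Z", "s3.amazonaws.com", "ListBuckets",
         "198.51.100.23", "backup-honey", "AKIAHONEYTOKEN000001", "AccessDenied"),
    _rec("2018-11-05T10:15:45Z", "ec2.amazonaws.com", "DescribeInstances",
         "198.51.100.23", "backup-honey", "AKIAHONEYTOKEN000001", "AccessDenied"),
    # A legitimate user hitting AccessDenied is noise, not a honeytoken alarm.
    _rec("2018-11-05T10:20:11Z", "iam.amazonaws.com", "ListUsers",
         "203.0.113.7", "deploy", "AKIAEXAMPLE0000000001", "AccessDenied"),
]})


def parse_records(log_text: str) -> List[Dict]:
    """Records array of one CloudTrail log file."""
    return json.loads(log_text).get("Records", [])


def detect_honeytoken_use(records: Iterable[Dict],
                          honeytoken_key_ids: Set[str]) -> List[Dict]:
    """Return one alert per record issued with a honeytoken access key."""
    alerts = []
    for rec in records:
        identity = rec.get("userIdentity", {})
        key_id = identity.get("accessKeyId")
        if key_id not in honeytoken_key_ids:
            continue
        alerts.append({
            "time": rec.get("eventTime"),
            "key_id": key_id,
            "user": identity.get("userName"),
            "source_ip": rec.get("sourceIPAddress"),
            "action": f"{rec.get('eventSource')}:{rec.get('eventName')}",
            "error": rec.get("errorCode"),
        })
    return alerts


def alarms_by_source(alerts: Iterable[Dict]) -> Dict[str, List[str]]:
    """Group alerts by source IP so one alarm is raised per origin."""
    grouped: Dict[str, List[str]] = {}
    for a in alerts:
        grouped.setdefault(a["source_ip"], []).append(a["action"])
    return grouped


if __name__ == "__main__":
    found = detect_honeytoken_use(parse_records(SAMPLE_LOG), HONEYTOKEN_KEY_IDS)
    for ip, actions in alarms_by_source(found).items():
        print(f"ALARM honeytoken used from {ip}: {', '.join(actions)}")
```

Matching on the access key id rather than on the AccessDenied error keeps ordinary permission failures of real users out of the alarm, and grouping by source IP yields one incident per origin instead of one per API call. Since [47] in the reference list concerns enumeration that bypasses CloudTrail logging, a detector that reads CloudTrail alone should be expected to have a blind spot for calls of that kind.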
The tendency of businesses migrating their services to the cloud is not expected to end in the near future. Amazon is continuously widening the range of its services and offering new opportunities to improve the cloud infrastructure. This also implies the emergence of new vulnerabilities and attack surfaces, and poses additional security risks. Penetration testing appears to be an effective way to evaluate the security of AWS-based environments; however, the methodology will always have to be adapted to the current state of AWS infrastructures.
References

[1] AWS DynamoDB Developer Guide. https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Introduction.html. [Accessed: 28 May 2018].
[2] AWS pwn. https://github.com/dagrz/aws_pwn. [Accessed: 1 October 2018].
[3] AWS takeover through SSRF in JavaScript. http://10degres.net/aws-takeover-ssrf-javascript/. [Accessed: 17 October 2018].
[4] Cloud Security Alliance's Security Guidance for Critical Areas of Focus in Cloud Computing v4.0. https://downloads.cloudsecurityalliance.org/assets/research/security-guidance/security-guidance-v4-FINAL-feb27-18.pdf. [Accessed: 31 May 2018].
[5] Cross-site Scripting (XSS). https://www.owasp.org/index.php/Cross-site_Scripting_(XSS). [Accessed: 16 October 2018].
[6] Driving Analytics SaaS, PaaS, and IaaS with Managed Services: The Difference that Experts Make. https://www.ironsidegroup.com/2015/06/03/driving-analytics-saas-paas-and-iaas-with-managed-services-the-difference-that-experts-make/. [Accessed: 9 October 2018].
[7] Global market share of cloud infrastructure services in 2017, by vendor. https://www.statista.com/statistics/477277/cloud-infrastructure-services-market-share/. [Accessed: 27 August 2018].
[8] How to search for Open Amazon s3 Buckets and their contents. https://buckets.grayhatwarfare.com. [Accessed: 24 October 2018].
[9] Information technology – Cloud computing – Overview and vocabulary. ISO/IEC 17788:2014(E). [Accessed: 04 September 2018].
[10] Instance Metadata and User Data. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html. [Accessed: 29 May 2018].
[11] Massive Amazon S3 leaks highlight user blind spots in enterprise race to the cloud. https://www.techrepublic.com/article/massive-amazon-s3-breaches-highlight-blind-spots-in-enterprise-race-to-the-cloud/. [Accessed: 29 May 2018].
[12] Nach der Cloud: Was kommt jetzt? [After the cloud: what comes next?] http://smileit.at/blog/tag/cloud-computing/. [Accessed: 23 August 2018].
[13] NIST Special Publication 800-145, The NIST Definition of Cloud Computing. http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf. [Accessed: 16 May 2018].
[14] Penetration Testing. https://aws.amazon.com/security/penetration-testing/. [Accessed: 23 September 2018].
[15] pentestmonkey - php-reverse-shell. http://pentestmonkey.net/tools/web-shells/php-reverse-shell. [Accessed: 28 October 2018].
[16] Post Exploitation in AWS using Nimbostratus. https://cloudsecops.com/post-exploitation-in-aws/. [Accessed: 28 October 2018].
[17] resource-counter. https://github.com/disruptops/resource-counter. [Accessed: 30 October 2018].
[18] Route 53. https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/Welcome.html. [Accessed: 23 October 2018].
[19] S3-inspector. https://github.com/kromtech/s3-inspector. [Accessed: 31 October 2018].
[20] Server Side Request Forgery. https://www.owasp.org/index.php/Server_Side_Request_Forgery. [Accessed: 29 May 2018].
[21] Server-Side Request Forgery. https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SSRF%20injection#summary. [Accessed: 17 October 2018].
[22] Shared Responsibility Model. https://aws.amazon.com/compliance/shared-responsibility-model/. [Accessed: 9 October 2018].
[23] Skew. https://github.com/scopely-devops/skew. [Accessed: 2 October 2018].
[24] System Shock: How A Cloud Leak Exposed Accenture's Business. https://www.upguard.com/breaches/cloud-leak-accenture. [Accessed: 29 May 2018].
[25] WeirdAAL (AWS Attack Library). https://github.com/carnal0wnage/weirdAAL/. [Accessed: 2 October 2018].
[26] Security Pillar, AWS Well-Architected Framework. https://d0.awsstatic.com/whitepapers/architecture/AWS-Security-Pillar.pdf, July 2018. [Accessed: 26 October 2018].
[27] Andres Riancho. Nimbostratus. http://andresriancho.github.io/nimbostratus/. [Accessed: 25 September 2018].
[28] Andres Riancho. Pivoting in Amazon Clouds. http://andresriancho.github.io/nimbostratus/pivoting-in-amazon-clouds.pdf. [Accessed: 25 September 2018].
[29] AWS Security Blog. IAM Policies and Bucket Policies and ACLs! Oh, My! (Controlling Access to S3 Resources). https://aws.amazon.com/blogs/security/iam-policies-and-bucket-policies-and-acls-oh-my-controlling-access-to-s3-resources/. [Accessed: 24 September 2018].
[30] Aditya Balapure. Learning Metasploit Exploitation and Development. Packt Publishing, 2013.
[31] Catalin Cimpanu. 7% of All Amazon S3 Servers Are Exposed, Explaining Recent Surge of Data Leaks. https://www.bleepingcomputer.com/news/security/7-percent-of-all-amazon-s3-servers-are-exposed-explaining-recent-surge-of-data-leaks/. [Accessed: 20 September 2018].
[32] CyberArk. The Cloud Shadow Admin Threat: 10 Permissions to Protect. https://www.cyberark.com/threat-research-blog/cloud-shadow-admin-threat-10-permissions-protect/. [Accessed: 30 October 2018].
[33] Cyware. Insurance startup AgentRun accidentally leaks customers' personal and health information in cloud configuration error. https://cyware.com/news/insurance-startup-agentrun-accidentally-leaks-customers-personal-and-health-information-in-cloud-configuration-error-b9e885ff. [Accessed: 20 September 2018].
[34] A. K. Dewdney. Computer Recreations: Of Worms, Viruses and Core War, page 110. Scientific American, March 1989.
[35] Patrick Engebretson. Chapter 1 - What is penetration testing? In Patrick Engebretson, editor, The Basics of Hacking and Penetration Testing (Second Edition), pages 1–18. Syngress, Boston, second edition, 2013.
[36] Patrick Engebretson. Chapter 3 - Scanning. In Patrick Engebretson, editor, The Basics of Hacking and Penetration Testing (Second Edition), pages 53–78. Syngress, Boston, second edition, 2013.
[37] Forbes. The One Cloud Security Metric Every CISO Should Know. https://www.forbes.com/sites/forbestechcouncil/2018/08/09/the-one-cloud-security-metric-every-ciso-should-know/33b677b55375. [Accessed: 14 October 2018].
[38] High-Tech Bridge, Security Blog. Databases exposed on the internet in post-GDPR era. https://www.htbridge.com/blog/databases-exposed-on-the-internet.html. [Accessed: 10 October 2018].
[39] Ionize, Michael Bielenberg. Stealing Amazon EC2 Keys via an XSS Vulnerability. https://ionize.com.au/stealing-amazon-ec2-keys-via-xss-vulnerability/. [Accessed: 21 September 2018].
[40] Jon Brodkin. Amazon cloud has 1 million users and is near $10 billion in annual sales. https://arstechnica.com/information-technology/2016/04/amazon-cloud-has-1-million-users-and-is-near-10-billion-in-annual-sales/. [Accessed: 15 September 2018].
[41] Ronald L. Krutz and Russell Dean Vines. Cloud Security: A Comprehensive Guide to Secure Cloud Computing. Wiley Publishing, 2010.
[42] LogicMonitor. Cloud Vision 2020: The Future of the Cloud. https://www.logicmonitor.com/wp-content/uploads/2017/12/LogicMonitor-Cloud-2020-The-Future-of-the-Cloud.pdf. [Accessed: 08 September 2018].
[43] OWASP. Fuzzing. https://www.owasp.org/index.php/Fuzzing. [Accessed: 28 September 2018].
[44] Peter Benjamin. YAS3BL (Yet Another S3 Bucket Leak). https://github.com/petermbenjamin/YAS3BL. [Accessed: 16 October 2018].
[45] Rapid7. Gather AWS EC2 Instance Metadata. https://www.rapid7.com/db/modules/post/multi/gather/aws_ec2_instance_metadata. [Accessed: 25 September 2018].
[46] Rapid7. Metasploit Documentation. https://metasploit.help.rapid7.com/docs. [Accessed: 25 September 2018].
[47] Rhino Security Labs. AWS IAM Enumeration 2.0: Bypassing CloudTrail Logging. https://rhinosecuritylabs.com/aws/aws-iam-enumeration-2-0-bypassing-cloudtrail-logging/. [Accessed: 5 November 2018].
[48] Rhino Security Labs. AWS Privilege Escalation – Methods and Mitigation. https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/. [Accessed: 30 October 2018].
[49] Rhino Security Labs, Benjamin Caudill. Penetration Testing in the AWS Cloud: What You Need to Know. https://rhinosecuritylabs.com/penetration-testing/penetration-testing-aws-cloud-need-know/. [Accessed: 23 September 2018].
[50] Rhino Security Labs, Spencer Gietzen. Introduction: Pentesting AWS to Secure the Cloud. https://rhinosecuritylabs.com/aws/pacu-open-source-aws-exploitation-framework/. [Accessed: 26 September 2018].
[51] Sharath AV. AWS Security Flaw which can grant admin access! https://medium.com/ymedialabs-innovation/an-aws-managed-policy-that-allowed-granting-root-admin-access-to-any-role-51b409ea7ff0. [Accessed: 20 September 2018].
[52] The Register. Uber: Hackers stole 57m passengers, drivers' info. We also bribed the thieves $100k to STFU. https://www.theregister.co.uk/2017/11/22/uber_2016_data_breach/. [Accessed: 27 September 2018].
[53] Upguard. The RNC Files: Inside the Largest US Voter Data Leak. https://www.upguard.com/breaches/the-rnc-files. [Accessed: 20 September 2018].
[54] Yohan Wadia. AWS Administration - The Definitive Guide. Packt Publishing, 2016.